DOCSLIB.ORG

HTTPOS: Sealing Information Leaks with Browser-Side Obfuscation of Encrypted Flows

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
HTTPOS: Sealing Information Leaks with Browser-Side Obfuscation of Encrypted Flows HTTPOS: Sealing Information Leaks with Browser-side Obfuscation of Encrypted Flows § § § † § ‡ Xiapu Luo ∗, Peng Zhou , Edmond W. W. Chan , Wenke Lee , Rocky K. C. Chang , Roberto Perdisci The Hong Kong Polytechnic University§, Georgia Institute of Technology†, University of Georgia‡ § † ‡ {csxluo,cspzhouroc,cswwchan,csrchang}@comp.polyu.edu.hk , [email protected] , [email protected] Abstract be profiled from traffic features [29]. A common approach to preventing leaks is to obfuscate the encrypted traffic by Leakage of private information from web applications— changing the statistical features of the traffic, such as the even when the traffic is encrypted—is a major security packet size and packet timing information [13,23,35,38]. threat to many applications that use HTTP for data deliv- Existing methods for defending against information ery. This paper considers the problem of inferring from en- leaks, however, suffer from quite a few problems. A major crypted HTTP traffic the web sites or web pages visited by problem is that, as server-side solutions, they require modi- a user. Existing browser-side approaches to this problem fications of web entities, such as browsers, servers, and even cannot defend against more advanced attacks, and server- web objects [13,38]. Modifying the web entities is not fea- side approaches usually require modifications to web enti- sible in many circumstances and cannot easily satisfy differ- ties, such as browsers, servers, or web objects. In this paper, ent applications’ requirements on information leak preven- we propose a novel browser-side system, namely HTTPOS, tion. A second fundamental problem with these methods to prevent information leaks and offer much better scalabil- is that they are still vulnerable to some advanced traffic- ity and flexibility. HTTPOS provides a comprehensive and analysis attacks. For example, although Sun et al. [35] pro- configurable suite of traffic transformation techniques for posed twelve approaches to defeat their traffic-analysis at- a browser to defeat traffic analysis without requiring any tack based on web object size, new attacks based on the server-side modifications. Extensive evaluation of HTTPOS tuple of packet size and direction [26] could still identify on live web traffic shows that it can successfully prevent the the web sites visited by a user. Finally, the efficacy of these state-of-the-art attacks from inferring private information methods has not been validated thoroughly based on actual from encrypted HTTP flows. implementations and live HTTP traffic. An exception is the work from Chen et al. [13] that is implemented as an IIS extension and a Firefox add-on. 1 Introduction In this paper we explore a browser-side approach to pre- vent information leaks from encrypted web traffic. Com- pared with the server-side approach, the browser-side ap- Leakage of private information from web applications proach has the scalability advantage, because only the traf- is a major security threat to many applications that use fic between the browser and the visited servers needs to be HTTP for data delivery. Cloud computing and other similar obfuscated. Moreover, it is possible for users to choose service-oriented platforms will only exacerbate this prob- which encrypted flows to be obfuscated in order to con- lem, because these services are usually delivered through serve resources and to reduce impacts on performance, but web browsers. Moreover, it is well known that data encryp- this flexibility advantage is very difficult to obtain from a tion alone is insufficient for preventing information leaks. server-side approach. However, designing a browser-side For instance, traffic-analysis attacks can identify the web method is very challenging, because the server’s behavior sites visited by a user from encrypted traffic [7,22,23,26] cannot be directly modified to evade traffic analysis. That and anonymized NetFlows records [14]. Chen et al. have is, we cannot apply the previously proposed methods that further showed that sensitive personal information, such as assume the capability of modifying the server’s behavior to medical records and financial data, could also be inferred the browser-side approach. through traffic analysis [13]. Besides, a user’s browser We show in this paper that it is possible to devise a could be fingerprinted [39], and her browsing patterns could browser-side method to defeat traffic analysis by presenting ∗Most of the work by this author was performed while at Georgia Tech. HTTPOS (which stands for HTTP or HTTPS with Obfus- cation), our proposed browser-side method. In addition to and HTTPOS’s location. There are five entities in the threat the advantages discussed above, HTTPOS has several other models: a victim user (i.e., client in Figure 1), an attacker, important advantages, such as supporting a wider scope of an encrypted tunnel, HTTPOS, and remote web sites/pages. application scenarios than the previous approaches (see the The threat models for scenarios (a)-(c) were adopted in pre- threat model in Section 2). HTTPOS is a user-level pro- vious works, including Sun et al. [35], Liberatore et al. [26] gram and does not need to modify any web entity. It obfus- and Wright et al. [38], and the threat model for scenario (d) cates encrypted web traffic by modifying four fundamen- was adopted by Chen et al. [13]. tal network flow features on the TCP and the HTTP layers, In scenarios (a)-(c), a client visits a web site through an namely, packet size, timing of packets, web object size, and encrypted tunnel at different layers, for example, wireless flow size. These features, as shown in the evaluation, are channel with WEP/WPA [21], IPSec-based IP tunnel [37], sufficient for diffusing and confusing the existing traffic- and SSH-based TCP tunnel [6], and the attacker attempts to analysis attacks. To modify the traffic from web servers, find outthat web site. In scenario (d), a client visits different HTTPOS exploits a number of basic features in TCP (e.g., web pages at a certain web site. This attack model assumes Maximal Segment Size (MSS) negotiation and advertising that the attacker knows the web site, and she attempts to window) and HTTP (e.g., HTTP Range and HTTP Pipelin- discover the web pages visited by the client. Note that an ing). updated web page due to the client’s interactions with the We have implemented HTTPOS and conducted exten- web site is considered as a new web page from an attacker’s sive experiments on live HTTP traffic to evaluate its per- viewpoint. For example, some web sites (e.g., Google) may formance in terms of evading traffic-analysis attacks and return auto-suggested words upon receiving a user input. impacts on the performance of network flows. The re- These dynamically updated web pages are regarded as dif- sults show that HTTPOS can effectively prevent the state- ferent web pages. of-the-art attacks from inferring private information from In all four scenarios, the attacker eavesdrops the en- encrypted HTTP flows. As will be shown in Section 5.2, crypted tunnel to obtain the encrypted packets sent between without HTTPOS an attacker can achieve high accuracy the victim and web servers, but she cannot decrypt these of inferring the web sites visited by a user. For example, packets. To infer the visited web sites/pages from these some attacks can achieve 94% accuracy on inferring the encrypted packets, the attacker first profiles the character- 100 web sites we tested by selecting the one with the high- istics of the traffic between the victim and each candidate est confidence based on their classification algorithm. With web site/page. The traffic profiling depends on the traffic HTTPOS all attacks’ accuracy drops to zero for at least 98 analysis methods [7,13,22,23,26]. She can easily build web sites. Even if an attacker chooses the top five web sites such profiles by visiting those web sites/pages via the en- as her inference, the accuracy for at least 94 web sites re- crypted tunnels herself. Equipped with the set of traffic pro- mains zero for all attacks. Moreover, some traffic-analysis files, the attacker then performs the inference by classifying attack can easily infer a user’s input to the Google search the captured traffic trace into the traffic profiles prepared box. But when HTTPOS is applied, the output of such at- beforehand. From the viewpoint of pattern classification, tack is reduced to a random guess. the traffic profiling step is known as conducting supervised Section 2 first presents the threat model, and Section 3 learning to train a classifier, whose feature set is the traffic describes our strategies for evading traffic-analysis attacks profile, and the class label is the web site/page. Moreover, and methods for manipulating network flow features. After the inference step corresponds to labeling a traffic trace ac- that, we introduce HTTPOS’s design and implementation cording to the trained classifier [18]. in Section 4, followed by extensive experiment results in Section 5. We finally introduce the related work in Section HTTPOS obfuscates the encrypted traffic by exploiting the protocol features in TCP and HTTP. Since the TCP con- 6 before concluding this paper in Section 7. nection (and therefore the HTTP connection) is end-to-end in scenarios (a), (b), and (d), HTTPOS can be deployed at 2 Threat models the browsers. On the other hand, the browser’s TCP connec- tion is terminated at the tunnel entry in scenario (c). There- Unlike previous works, we consider in this paper both fore, when HTTPOS is deployed at the browsers for TCP (1) the problem of inferring the web sites visited by users tunnels, only the HTTP methods can be used for traffic ob- and (2) the problem of inferring the web pages browsed fuscation.
Load more

Recommended publications
  • HTTP2 Explained
    HTTP2 Explained Daniel Stenberg Mozilla Corporation [email protected] ABSTRACT credits to everyone who helps out! I hope to make this document A detailed description explaining the background and problems better over time. with current HTTP that has lead to the development of the next This document is available at http://daniel.haxx.se/http2. generation HTTP protocol: HTTP 2. It also describes and elaborates around the new protocol design and functionality, 1.3 License including some implementation specifics and a few words about This document is licensed under the the future. Creative Commons Attribution 4.0 This article is an editorial note submitted to CCR. It has NOT license: been peer reviewed. The author takes full responsibility for this http://creativecommons.org/licenses/by/4.0/ article’s technical content. Comments can be posted through CCR Online. 2. HTTP Today Keywords HTTP 1.1 has turned into a protocol used for virtually everything HTTP 2.0, security, protocol on the Internet. Huge investments have been done on protocols and infrastructure that takes advantage of this. This is taken to the 1. Background extent that it is often easier today to make things run on top of HTTP rather than building something new on its own. This is a document describing http2 from a technical and protocol level. It started out as a presentation I did in Stockholm in April 2014. I've since gotten a lot of questions about the contents of 2.1 HTTP 1.1 is Huge that presentation from people who couldn't attend, so I decided to When HTTP was created and thrown out into the world it was convert it into a full-blown document with all details and proper probably perceived as a rather simple and straight-forward explanations.
    [Show full text]
  • Improving Packet Caching Scalability Through the Concept Of
    IMPROVING PACKET CACHING SCALABILITY THROUGH THE CONCEPT OF AN EXPLICIT END OF DATA MARKER A Thesis Submitted to the Graduate School of the University of Notre Dame in Partial Fulfillment of the Requirements for the Degree of Master of Science in Computer Science and Engineering by Xiaolong Li, B.S., M.S. ________________________________ Aaron Striegel, Director Graduate Program in Computer Science and Engineering Notre Dame, Indiana July 2006 c Copyright by Xiaolong Li 2006 All Rights Reserved Improving Packet Caching Scalability Through the Concept of an Explicit End of Data Marker Abstract by Xiaolong Li The web has witnessed an explosion of dynamic content generation to provide web users with an interactive and personalized experience. While traditional web caching techniques work well when redundancy occurs on an object-level basis (page, image, etc.), the use of dynamic content presents unique challenges. Although past work has addressed mechanisms for detecting redundancy despite dynamic content, the scalability of such techniques is limited. In this thesis, an effective and highly scalable approach, Explicit End of Data (EEOD) is presented, which allows the content designer to easily signal bound- aries between cacheable and non-cacheable content. EEOD provides application- to-stack mechanisms to guarantee separation of packets with the end goal of sim- plifying packet-level caching mechanisms. Most importantly, EEOD does not re- quire client-side modifications and can function in a variety of server-side/network deployment modes. Additionally, experimental studies are presented, showing EEOD offers 25% and 30% relative improvements in terms of bandwidth efficiency and retrieval time over current approaches in the literature.
    [Show full text]
  • An Evaluation of the Webdav Extensions to the HTTP Protocol
    2000:138 MASTER'S THESIS An evaluation of the WebDAV extensions to the HTTP protocol Björn Nilsson Civilingenjörsprogrammet Institutionen för Systemteknik Avdelningen för Datorkommunikation 2000:138 • ISSN: 1402-1617 • ISRN: LTU-EX--00/138--SE An evaluation of the WebDAV extensions to the HTTP protocol Master’s Thesis in Computer Science Björn Nilsson January 2000 An evaluation of the WebDAV extensions to the HTTP protocol Abstract Abstract The HyperText Transfer Protocol (HTTP) is used for the most popular service on the Internet today – World Wide Web. WebDAV is a new extension to the HTTP protocol, which makes it possible to write, edit and share information across intranets and the Internet. In this Master’s Thesis, the WebDAV extensions are examined. A comparison between HTTP with WebDAV and the existing Internet protocols FTP and POP3 is done. Also a behavioral analysis of existing WebDAV applications is made. The conclusions are that HTTP with WebDAV extensions can replace both FTP and POP3. When using HTTP’s pipelining and persistent connections, better performance than with FTP is achieved. It seems like WebDAV can be used as a universal protocol for client-server solutions, gaining the advantages of HTTP such as encryption and caching. An evaluation of the WebDAV extensions to the HTTP protocol Preface Preface This Master’s Thesis has been made as the final part of my Master of Science degree in Computer Science and Engineering at Luleå University of Technology (LTU). The work has been carried out from September 1999 to January 2000 at Telia ProSoft AB in Malmö. I would like to thank my supervisor at Telia ProSoft, Anders Jönsson, for assistance and guidance throughout the work.
    [Show full text]
  • Hypertext Transfer Protocol with Privacy
    Hypertext Transfer Protocol With Privacy Anthroposophical Vinnie learn broadcast. Ehud counterplot faultily as Leninist Hamilton encumbers her stales monologuizes fussily. Presbyterian and explanatory Levy will her disimprisonment olorosos complement and Russianized inconsistently. This context and http separately: it currently has to accomplish the hypertext transfer protocol with privacy, and all the server machine where performance of the lead of some extraneous requirements Here we use with a hypertext document is typically default values for this. Http protocol to hide the privacy community of http and requests. It gets right facility the likely and simply explains the nitty gritty of HTTP. How hypertext transfer. Http protocol is hypertext transfer. This technique requires neither the use survey public key cryptography nor encryption. Secure transfer protocols with privacy? It with privacy policy is hypertext. The server MUST NOT process them further requests received on that connection. Clients and privacy or hypertext format of protocols that. MUST mention an Upgrade header field that indicate the acceptable protocols, in face of descending preference. URI and in Host header field. This previous protocol lacked the vicinity means to identify data sources or pole secure transport. Instead of hypertext transfer of a separate protocol? What goods the difference between HTTP request the response? The media type quality factor associated with a given type was determined by finding the media range define the highest precedence which matches that type. Often a transfer. Yes, it becomes a bit complicated, but despite who we service worker, know that not meant i keep HTTP as kept as banner was supposed to be.
    [Show full text]
  • Header Compression Consumes CPU and Memory Resources
    K4707: Choosing appropriate profiles for HTTP traffic Non-Diagnostic Original Publication Date: May 13, 2019 Update Date: Aug 12, 2019 Topic The BIG-IP system allows you to process HTTP traffic using various profiles, including TCP+HTTP, HTTP /2, Fast HTTP, and FastL4. Each profile, or combination of profiles, offers distinct advantages, limitations, and features. F5 recommends that you assess the needs of each HTTP virtual server individually, using the following information, to determine which profile, or profile combination, best meets the requirements for each virtual server. Important: The HTTP profile works in almost all cases; however, the HTTP profile places the BIG-IP system in full Layer 7 (L7) inspection mode, which may be unnecessary when used on simple load balancing virtual servers. Thus, you should consider the other profile options provided in instances where the full L7 engine is not necessary for a particular virtual server. HTTP profiles are not compatible when applied to encrypted HTTP traffic such as SSL passthrough traffic. HTTP Note: The HTTP profile requires that a TCP profile to be applied the virtual server. Choosing an optimized TCP profile may greatly improve performance when compared to using the default TCP profile. For more information, refer to K03553427: Using optimized TCP profiles. Advantage: The HTTP profile can take full advantage of all of BIG-IP system's Layers 4 - 7 HTTP/HTTPS features. When to use: The HTTP profile is used when any of the following features are required: IPv6 support TCP Express
    [Show full text]
  • Evaluating Web-Latency Reducing Protocols in Mobile Environments
    Master Thesis Electrical Engineering August 2013 Evaluating Web-latency reducing Protocols in Mobile Environments Usama Shamsher Wang Xiao Jun School of Computing Blekinge Institute of Technology SE-371 79 Karlskrona Sweden This thesis is submitted to the School of Computing at Blekinge Institute of Technology in partial fulfillment of the requirements for the degree of Master of Science in Electrical Engineering. The thesis is equivalent to 20 weeks of full time studies. This Master Thesis is typeset using LATEX Contact Information: Author(1): Usama Shamsher E-mail: [email protected] Author(2): Wang Xiao Jun E-mail: [email protected] University advisor: Dr. David Erman School of Computing University Examiner: Dr. Patrik Arlos School of Computing School of Computing, Department of Telecommunication Sys- tems Blekinge Institute of Technology Internet : www.bth.se/com SE-371 79 Karlskrona Phone : +46 455 38 50 00 Sweden Fax : +46 455 38 50 57 Abstract User perceived latency is the most prominent performance issue influenc- ing the World Wide Web (www) presently. Hyper-Text Transfer Protocol (HTTP) and Transmission Control Protocol (TCP) have been the backbone of web transport for decades, thus received a lot of attention recently due to end-to-end performance degradation in mobile environments. Inefficiencies of HTTP and TCP strongly affect web response time mainly in resource- limited devices. HTTP compression reduces some of the burden imposed by TCP slow start phase. However, compression is still an underutilized fea- ture of the web today [1]. In order to fulfill the end user expectations, we can optimize HTTP to improve Page Load Time (PLT), low memory usage and better network utilization.
    [Show full text]
  • Architectural Styles of Extensible REST-Based Applications
    Institute for Software Research University of California, Irvine Architectural Styles of Extensible REST-based Applications Justin R. Erenkrantz University of California, Irvine [email protected] August 2006 ISR Technical Report # UCI-ISR-06-12 Institute for Software Research ICS2 110 University of California, Irvine Irvine, CA 92697-3455 www.isr.uci.edu www.isr.uci.edu/tech-reports.html Architectural Styles of Extensible REST-based Applications Justin R. Erenkrantz Institute for Software Research University of California, Irvine Irvine, CA 92697-3425 [email protected] ISR Technical Report # UCI-ISR-06-12 August 2006 Abstract: At the beginning of the World Wide Web (WWW or Web), there was no clear set of principles to guide the decisions being made by developers and architects. In these early days, a cacophony emerged without a clear direction to guide the evolution of the Web. If there was any direction during the inception of the Web, it was a weak focus on how communication might occur between machines on the Web and the content that was to be transferred. Within a matter of a few years, scalability and other design concerns threatened the future of the early Web - this led to the introduction of REpresentation State Transfer architectural style (REST). The REST style imposed constraints on the exchange of communication over the Web and provided guidance for further modifications to the underlying protocols. The introduction of REST, through the HTTP/1.1 protocol, restored order to the Web by articulating the necessary constraints required for participation. In this survey, we will characterize any environment that is governed by REST constraints to be in a RESTful world.
    [Show full text]
  • Chapter 1, “Overview”
    CHAPTER 1 Overview The Cisco Content Services Gateway (CSG) is a high-speed processing module that brings content billing and user awareness to the Cisco Catalyst 6500 series switch or Cisco 7600 series router platforms. The CSG is typically located at the edge of a network in an Internet service provider (ISP) Point of Presence (POP), or Regional Data Center. The CSG offers more than standard IP flow accounting; the CSG also examines various protocol requests (Wireless Application Protocol [WAP], Mail, FTP, RTSP, and HTTP) to gather URLs and other header information for accounting purposes. Additionally, the CSG gathers information on usernames and usage statistics, and enables differentiated billing for individual transactions based on hostname, on the directory accessed, or on individual files. The CSG inspects IP traffic at levels deeper than typical routers. When doing so, the CSG behaves partly as a proxy server. As such, you should design your network security strategy to protect the CSG as you would any proxy or server. This section includes the following information: • What’s New, page 1-1 • Features from Previous Releases, page 1-13 • Dependencies and Restrictions, page 1-38 What’s New The CSG 3.1(3)C5(5) includes the following new features: • HTTP Pipelining and Chunked Transfer Encoding, page 1-2 • TCP Byte Counts for HTTP Billing, page 1-2 • WAP Support for URL Rewriting, page 1-2 • Service Verification, page 1-3 • RADIUS Handoff Support, page 1-3 • Fixed CDR Support for HTTP, page 1-4 • Fixed CDR Support for RTSP, page 1-4
    [Show full text]
  • HTTP/2: Analysis and Measurements
    View metadata, citation and similar papers at core.ac.uk brought to you by CORE provided by Universidad Carlos III de Madrid e-Archivo UNIVERSIDAD CARLOS III DE MADRID ESCUELA POLITÉCNICA SUPERIOR DEPARTAMENTO DE INGENIERÍA TELEMÁTICA ITT: Sistemas de Telecomunicaciones Proyecto Fin de Carrera HTTP/2: Analysis and measurements Author: José Fernando Calcerrada Cano Tutor: Marcelo Bagnulo Braun Cotutor: Anna Maria Mandalari January 2016 “This, Jen, is the Internet.” Maurice Moss, IT Crowd. Abstract HTTP/2: Analysis and measurements by José Fernando Calcerrada Cano The upgrade of HTTP, the protocol that powers the Internet of the people, was published as RFC on May of 2015. HTTP/2 aims to improve the users experience by solving well- know problems of HTTP/1.1 and also introducing new features. The main goal of this project is to study HTTP/2 protocol, the support in the software, its deployment and im- plementation on the Internet and how the network reacts to an upgrade of the existing protocol. To shed some light on this question we build two experiments. We build a crawler to monitor the HTTP/2 adoption across Internet using the Alexa top 1 million websites as sample. We find that 22,653 servers announce support for HTTP/2, but only 10,162 websites are served over it. The support for HTTP/2 Upgrade is minimal, just 16 servers support it and only 10 of them load the content of the websites over HTTP/2 on plain TCP. Motivated by those numbers, we investigate how the new protocol behaves with the middleboxes along the path in the network.
    [Show full text]
  • Computer Networking COMP 177 | Fall 2020 | University of the Pacific | Jeff Shafer HTTP/3 (Also: HTTP/2, SPDY, QUIC) 2
    ì Computer Networking COMP 177 | Fall 2020 | University of the Pacific | Jeff Shafer HTTP/3 (also: HTTP/2, SPDY, QUIC) 2 ì HTTP/2 (and “Google SPDY”) Computer Networking Fall 2020 3 Timeline ì HTTP/0.9 (not an RFC: https://www.w3.org/Protocols/HTTP/AsImplemented.html ) ì Initial version of HTTP — a simple client-server, request-response, telnet-friendly protocol ì Request nature: single-line (method + path for requested document) ì Methods supported: GET only ì Response type: hypertext only ì Connection nature: terminated immediately after the response ì No HTTP headers (cannot transfer other content type files), No status/error codes, No URLs, No versioning Computer Networking https://medium.com/platform-engineer/evolution-of-http-69cfe6531ba0 Fall 2020 4 Timeline ì HTTP/1.0 – RFC 1945 (May 1996) ì Browser-friendly protocol ì Provided header fields including rich metadata about both request and response (HTTP version number, status code, content type) ì Response: not limited to hypertext (Content-Type header provided ability to transmit files other than plain HTML files — e.g. scripts, stylesheets, media) ì Methods supported: GET , HEAD , POST ì Connection nature: terminated immediately after the response Computer Networking https://medium.com/platform-engineer/evolution-of-http-69cfe6531ba0 Fall 2020 5 Timeline ì HTTP/1.1 – RFC 2068 (January 1997) ì Performance optimizations and feature enhancements ì Persistent and pipelined connections ì Chunked transfers ì Compression/decompression ì Virtual hosting (a server with a single IP address
    [Show full text]
  • Http Request and Response
    Http Request And Response Patrice undermine mushily. Hierarchic and dipetalous Kevin dichotomise, but Sivert landward festinated her beseechers. Eric is transparently Afro-Asian after splenial Welbie denoted his purlines swinishly. The Server will deploy the pill body. The hot body, forwards the request create an inbound server, an get on the cache can reveal information long dream a user believes that the information has been removed from possible network. If and https. HTTP Fields Elastic Common Schema ECS Reference 17. Every HTTP interaction includes a folder and a harness By my nature HTTP is stateless Stateless means keep all requests are arise from. Warnings are http request are different summary with? HTTP Request Headers and CloudFront Behavior Custom. This class now performs all their necessary certificate and hostname checks by default. An HTTP response except what web clients often browsers receive it an Internet server in overall to an HTTP request These responses communicate valuable. May be stale responses from and https whenever their mime type header applies rules and encryption. URL of the server. Date is and response for. Tls and response message id is requested document if request for credentials sent to access and will be conservative behavior and larry masinter for a thread. HTTP verb was used for self request. Http listener servlet reads out css etc, it and an html document against threats to apply adjustments to use this loop controller will only one. POST request, them all that possible matches in the sampler data are processed. Container environment security for enter stage of drain life cycle.
    [Show full text]
  • Computational REST: a New Model for Decentralized, Internet-Scale Applications
    UNIVERSITY OF CALIFORNIA, IRVINE Computational REST: A New Model for Decentralized, Internet-Scale Applications DISSERTATION submitted in partial satisfaction of the requirements for the degree of DOCTOR OF PHILOSOPHY in Information and Computer Science by Justin Ryan Erenkrantz Dissertation Committee: Professor Richard N. Taylor, Chair Professor Debra J. Richardson Professor Walt Scacchi 2009 Portions of Chapters 2,3,4,5 adapted from “From Representations to Computations: The Evolution of Web Architectures,” in Proceedings of the 6th Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering (September, 2007) © ACM, 2007. http://doi.acm.org/10.1145/1287624.1287660 Used with permission under Section 2.5 “Rights Retained by Authors” of the ACM Copyright Policy All other content © 2009 Justin Ryan Erenkrantz ii DEDICATION to Mom and Dad who always gave their unwavering love even when their son chose the hard road iii TABLE OF CONTENTS Page LIST OF FIGURES vi LIST OF TABLES viii ACKNOWLEDGEMENTS ix CURRICULUM VITAE xii ABSTRACT OF THE DISSERTATION xv INTRODUCTION 1 CHAPTER 1: Architectural Styles of Extensible RESTful Applications 8 Software Architecture and Frameworks 8 Software Architecture in the World Wide Web 9 Representational State Transfer 10 Selecting Appropriate REST-based Applications 14 Framework Constraint Prism 15 REST Constraints 18 Architectural Characteristic Matrix 19 Origin Servers 19 User Agents 40 Libraries and Frameworks 70 Constructing RESTful
    [Show full text]